Red Hat will pay Verisign to sign Fedora for Microsoft's UEFI Secure Boot

LINUX VENDOR Red Hat will pay Verisign to sign Fedora 18 so it can work with Microsoft's UEFI Secure Boot.

Microsoft has ordered all PC makers shipping Windows 8 PCs to have its UEFI Secure Boot feature enabled, which poses a significant hurdle for users should they want to install a different operating system. Now the Red Hat sponsored Fedora project has said it intends to pay Verisign $99 to sign its software.

Microsoft's intention with UEFI Secure Boot is to only allow trusted software to interact with PC hardware, including bootloaders and drivers. However many observers have pointed out that the company can also use this requirement to make it extremely difficult for users to install alternative operating systems.

Although Microsoft offers a signing portal, Red Hat's Matthew Garrett said the Fedora project had considered a number of alternatives, including creating a catch-all Linux key, but that paying Verisign a one-off $99 fee for a key was the easiest and most pragmatic solution.

Garrett said, "The $99 goes to Verisign, not Microsoft - once paid you can sign as many binaries as you want, but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions."

Garrett also confirmed that all drivers shipped with Fedora will be signed but also rightly said that it can't sign 'out of tree' drivers. Fedora will also be signing all kernel modules and, Garrett said, "locking down certain aspects of kernel functionality".

While Verisign will be receiving $99 from Fedora and presumably the Ubuntu project and other Linux distributions, it is Microsoft that is the real winner, so far, since it is clear that UEFI Secure Boot will hurt not just Linux distributions but any operating systems that don't have the resources to sign everything to meet Microsoft's unilaterally imposed security regime. µ